Debian Security Advisory
DLA-2113-1 cloud-init -- LTS security update
- Date Reported:
- 21 Feb 2020
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 951362, Bug 951363.
In Mitre's CVE dictionary: CVE-2020-8631, CVE-2020-8632.
- More information:
In cloud-init, relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
For Debian 8
Jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u1.
We recommend that you upgrade your cloud-init packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS